Computer misuse

Cybercrime and Computer Misuse and the Criminal Law Class Notes for COM347 Computer Networks


Page 1: Computer misuse

Cybercrime and Computer Misuse and the Criminal Law

Class Notes for COM347 Computer Networks

Page 2: Computer misuse

Cybercrime

• Cybercrime is defined by British police as the use of any computer network for crime, and the high-tech criminals of the digital age have not been slow to spot the opportunities.

• The term hacking was originally used to describe an audacious practical joke, but has become better known as a term for the activities of computer enthusiasts who pit their skills against IT systems of governments and big corporations.

• The Love Bug virus crippled at least 45 million computers worldwide and caused billions of dollars worth of damage. Information systems managers have long been aware of the need to maintain system security, particularly against computer fraud and sabotage. However, information systems managers may not consider their own programmers and analysts as possible perpetrators of computer fraud and sabotage.

• In addition, other programmers and analysts may be in prime positions to initiate other forms of security problems, such as computer hacking, viruses and software copyright violations. Yet it is tempting for managers to believe that most such security problems come from outside the organisation.

Page 3: Computer misuse

Cybercrime

• Electronic commerce is about doing business using electronic technologies. It can involve the transmission of data, transactions and payments, or marketing and value adding to existing products of databases.

• That data can be as simple as an invoice or as complex as an EDI message. It can also represent the exchange of tokens that represent value, or the exchange of credit card numbers that represent purchases made by consumers. In all these cases there is an acceptance that the integrity and safety of the exchange has been secured against capture or interference by hackers or others wishing to gain information illegally. Website security is about keeping strangers out but also allowing controlled access to a network.

• Sometimes achieving both of these elements can be very difficult. There is a concern among consumers about sending their credit card details over the Internet.

• They fear that their transaction information will be intercepted and used by someone else. On the other hand, people now readily give their credit card details over the telephone when paying accounts, and there is no more security in doing this.

Page 4: Computer misuse

The Law

• In the past, the Criminal Law in relation to computers was unreliable, as legislation often lagged behind the rapid changes brought about by modern technology.

• The 1980s saw an increase in the use of computer systems and networks. It soon became apparent that the existing laws, such as the Theft Act and the Criminal Damage Act, were inadequate as a deterrent or as a suitable remedy.

• Pressure from industry and business, and lobbying by some MPs to curtail such problems, resulted in the Computer Misuse Act (1990), a vital piece of legislation that provided new offences of unauthorised access to and modification of computer material.

• At present, computer-enabled crimes, involving the use of computers to commit forgery, fraud, obscenity and hate speech, criminal damage or copyright violation, are all covered by the following UK laws:

• The Theft Act 1968 (on fraud)
• The Telecommunications Act 1984 (section 42 relating to deception and section 43 relating to obscene material)
• The Forgery and Counterfeiting Act 1981
• The Protection of Children Act 1978, the Criminal Justice Act 1988 and the Criminal Justice and Public Order Act 1994 (all on child pornography)
• The Public Order Act 1986 (on racist material)
• The Criminal Damage Act 1977 (to cover physical damage to computer systems)
• The Copyright, Designs and Patents Act 1988

Page 5: Computer misuse

Cybercrime Legislation

• There is an anomaly under current legislation that means that although it is unlawful for you to be defrauded by a computer-related system, it is not unlawful for you to defraud a computer.

• The courts do not regard a machine as ‘deceivable’, because it is automated. In cases involving the use of machines, including use of the Internet, as part of a deception or fraud, it has been judged that a deception cannot take place where a machine is manipulated by others to obtain a service, for example by giving a false credit card number when signing up for an online service.

• The one exception to this is where the deception involves a licensed telecommunications service, such as dial-up chat lines or pay-per-view TV cards in which case it would be an offence under the Telecommunications Act 1984.

• The Law Commission has recommended that new legislation should be drawn up to deal with this anomaly.

Page 6: Computer misuse

Cyber Crime

The Computer Misuse Act 1990 covers offences related to the penetration, alteration and damage of computer systems, namely:

• Cyber-trespass – that is, unauthorized access to systems or intent to gain such access;

• Cyber-theft – securing access to a computer in order to commit an offence or with the intent to do so;

• Cyber-violence and ‘malware’ software that intentionally causes harm such as viruses, worms or Trojans – modifying a system in a manner that impairs its operation.

Computer crime may raise issues of data protection. In this context, unauthorized access to a computer, and authorized access for unauthorized purposes, comes under the Data Protection Act 1998.

Page 7: Computer misuse

Computer Misuse Act

The Act created three new offences in response to the Law Commission Working Paper No. 186, Criminal Law: Computer Misuse (Cm 819), published in October 1989.

Even before the Act, dishonest computer activities were quite well covered by the criminal law, and in particular by theft and related offences.

A common type of computer fraud involves gaining unauthorised access in order to transfer funds to one's own account, or that of a friend. Another common variety is to use a forged bank card to obtain money from a cash dispenser. Because only the computer is deceived, it is probable that neither of these activities amounts to obtaining property by deception, since there is authority that that offence requires deception of a human mind. Nevertheless, it is clear that this type of fraud has always constituted theft.

Page 8: Computer misuse

Misuse Act (continued)

Computers can also be used to commit the offence of blackmail, for example where a computer virus is introduced to a system (for example a time bomb, whose purpose is to corrupt or delete stored information after the lapse of a period of time), accompanied later by threats that some or all of the files on the system will be corrupted unless a sum of money is paid into a particular account.

Such a virus may be introduced directly by a hacker, or simply distributed as part of a software package. If the system is in fact corrupted by a virus, or directly by an unauthorised user, the offence of criminal damage may also be committed.

In Cox v Riley (1986) 83 Crim App Rep 54, a disgruntled employee who erased programs on a printed circuit card belonging to his employer was held to have damaged the card, even though no physical damage had occurred.

There is also a range of other offences under the general criminal law, which may be committed by unauthorised computer users. Examples are theft of electricity, false accounting and suppression of documents.

A hacker who obtains unauthorised access to, and copies information from a computer storage system may also infringe the law of copyright (but confidential information is not property, and so cannot be the subject matter of theft).

Page 9: Computer misuse

Misuse Act (continued)

Nevertheless, perhaps because computer misuse was estimated to cost UK industry over £500 million annually, it was felt that the pre-existing law was inadequate in a number of respects. In particular, hacking per se was not a criminal offence, and while unauthorised users may well, in using the computer, commit other offences, there were greater evidential difficulties in prosecuting such offences than in the case of non-computer crime. Nor was the deliberate creation of computer viruses per se a criminal offence.

The least serious new offence, to be found in section 1 of the Act, makes hacking per se criminal, whether or not any harm is intended. Thus, even hacking out of curiosity, or for the challenge of breaking through a security system, is covered, so long as the hacker is aware that his access is unauthorised. The offence is triable summarily, and is punishable by a maximum of six months' imprisonment and/or a £2,000 fine.

While section 1 is aimed at unauthorised access, it is not necessary actually to gain access, attempted accessing also falling within the section. It is necessary only to cause 'a computer to perform any function with intent to secure access', so that, for example, an attempt to log on, which is rejected by the computer, falls within the section. The hacker who programs his computer to search through every possible password is therefore caught, whether or not his or her attempts at accessing are successful. Mere surveillance of data displayed on a VDU is outside the scope of the section, however, even where sophisticated electronic equipment is used, which can monitor from a distance radiation signals emitted from computers ("electronic eavesdropping").

Page 10: Computer misuse

Criminal Law Act… Summary

Unauthorised access to computer material

(1) A person is guilty of an offence if:

• he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
• the access he intends to secure is unauthorised; and
• he knows at the time when he causes the computer to perform the function that that is the case.

(2) The intent a person has to have to commit an offence under this section need not be directed at:

• any particular program or data;
• a program or data of any particular kind; or
• a program or data held in any particular computer.

(3) A person guilty of an offence under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale or to both.

Page 11: Computer misuse

Misuse Act Summary

The Act identifies three specific offences:

1. Unauthorised access to computer material (that is, a program or data).

2. Unauthorised access to a computer system with intent to commit or facilitate the commission of a serious crime.

3. Unauthorised modification of computer material.

The Act defines (1) (the basic offence) as a summary offence punishable on conviction with a maximum prison sentence of six months or a maximum fine of £2,000 or both. The Act goes on to describe offences (2) and (3) as triable either summarily or on indictment, and punishable with imprisonment for a term not exceeding five years or a fine or both. These sentences clearly reflect the perceived gravity of the offence and imply that universities should take an equally serious view of hacking or virus proliferation.

Page 12: Computer misuse

Definitions of Unauthorised Access in the Higher Education Context

The offences described in the Act can be interpreted within the University and college scene and perhaps extend into areas which in the wider context would not be considered to be offences.

The examples which follow are intended as a guide to the seriousness of the offence and do not attempt to cover all eventualities.

Page 13: Computer misuse

Example 1, Unauthorised Access to Computer Material.

This would include:

– using another person's identifier (ID) and password without proper authority in order to use data or a program, or to alter, delete, copy or move a program or data, or simply to output a program or data (for example, to a screen or printer);
– laying a trap to obtain a password;
– reading examination papers or examination results.

The response to some actions will depend on the specific conditions of use in force. Take, for example, unauthorised borrowing of an identifier from another student in order to obtain more time for a computer project the student was required to complete. In this case both the student who borrowed the ID and the student who lent it would be deemed to have committed an offence.

Page 14: Computer misuse

Example 2, Unauthorised Access to a Computer with intent.

This would include:

– gaining access to financial or administrative records, but intent would have to be proved.

Page 15: Computer misuse

Example 3, Unauthorised Modification of Computer Material

This would include:

– destroying another user's files;
– modifying system files;
– creation of a virus;
– introduction of a local virus;
– introduction of a networked virus;
– changing examination results;
– deliberately generating information to cause a complete system malfunction.

Universities and Colleges should recognise that action under disciplinary procedures is more effective if a similar view is taken across the sector and if institutions are prepared to discipline their students for offences carried out across the network on the facilities of other universities and colleges.

It is desirable that as far as possible similar offences in different institutions carry similar penalties.

Page 16: Computer misuse

The Misuse of Computers

In the United Kingdom, the Law Commission looked at the extent to which existing criminal laws covered the use of computers in five areas:

1. computer fraud;
2. unauthorised obtaining of information from a computer;
3. unauthorised alteration or destruction of information stored on a computer;
4. denying access to an authorised user;
5. unauthorised removal of information stored on a computer.

The Computer Misuse Act 1990 fills gaps in these areas that cannot be filled by amending existing laws.

Page 17: Computer misuse

Computer Fraud

The Law Commission defined computer fraud as:

. . . conduct that involves the manipulation of a computer, by whatever method, in order dishonestly to obtain money, property, or some other advantage of value, or to cause loss.

The main offences currently covering computer fraud:

• fraud and theft;
• obtaining property by deception;
• false accounting;
• common law conspiracy to defraud.

The courts have upheld that only the human mind can be deceived, and not a machine. It may be that the law on fraud needs amendment.

Page 18: Computer misuse

Unauthorised Obtaining of Information

The Law Commission identified three particular abuses:

1. computer hacking;
2. eavesdropping on a computer;
3. making unauthorised use of computers for personal benefit.

Historically, it has been difficult to convict anyone of computer hacking:

– penetration of computer systems;
– alteration/destruction of data.

Under Section 1 of the Computer Misuse Act 1990, a person is guilty of an offence if:

(a) he causes a computer to perform any function with intent to secure access to any program or data held on any computer;
(b) the access he intends to secure is unauthorised;
(c) he knows at the time when he causes the computer to perform the function that this is the case.

Section 2 makes it a more serious offence to commit the Section 1 offence with a view to further crime.

Page 19: Computer misuse

Eavesdropping

Eavesdropping involves:

– secret listening;
– secret watching.

The aim is the acquisition of information.

Historically, there has been no right to privacy in the UK. The recently introduced UK Human Rights Bill incorporates the European Convention on Human Rights into UK law. Privacy is now recognised as a basic human right. For instance, listening to mobile telephone calls is now illegal.

Most people who misuse computers for personal benefit are in some form of legal relationship with the owner of the computer. For example, an employee who does private work on their employer’s computer. Here employment law can be applied. The unauthorised use of the computer is not a special issue.

Page 20: Computer misuse

Unauthorised Altering of Information

Computers store vast amounts of information about us:

– what we have in the bank;
– who we call on the telephone;
– what we buy in the shops;
– where we travel.

Criminals who alter or destroy such information can be dealt with by:

– the law on Criminal Damage;
– the Computer Misuse Act 1990 (in Section 3).

The law on Criminal Damage seems to apply to physically stored data that would survive a power off-on. Some examples:

– erasing programs from the control card of a circular saw;
– writing a program that shakes a hard disk to pieces.

But not:

– switching off a monitor so that the display is lost.

Page 21: Computer misuse

Unauthorised Modification

Section 3 of the Computer Misuse Act 1990 provides that a person is guilty of a criminal offence if:

(a) he does any act which causes unauthorised modification of the contents of a computer, and
(b) at the time when he does the act, he has the requisite intent and the requisite knowledge.

The requisite intent is an intent to cause a modification to the contents of any computer and by doing so:

(i) to impair the operation of any computer;
(ii) to prevent or hinder access to any program or data held on any computer;
(iii) to impair the operation of any such program or the reliability of any such data.

Page 22: Computer misuse

Forgery

The unauthorised alteration or destruction of data may amount to forgery.

The Forgery and Counterfeiting Act 1981 says:

A person is guilty of forgery if he makes a false instrument, with the intention that he or another shall use it to induce somebody to accept it as genuine, and by reason of so accepting it, to do or not to do some act to his own or any other person’s detriment.

An “instrument” is usually a written document.

However, it can also be “any disk, tape, sound-track or other device on which information is stored by mechanical, electronic or other means.”

E.g.: a forged electronic mail message.

Page 23: Computer misuse

Denying Access to an Authorised User

There are many ways to deny access to an authorised user of a computer:

– shut the machine down;
– overload the machine with work;
– tie up all the machine’s terminal/network connections;
– encrypt some system files, etc.

Various offences deal with these:

– hacking;
– unauthorised abstraction of electricity;
– improper use of telecommunications services;
– unauthorised modification of computer material.

Page 24: Computer misuse

Unauthorised Removal of Information

Under the Theft Act 1968, only property can be stolen, and information is not property.

A floppy disk is protected by law, but the information stored on it is not.

A new offence of misappropriating information seems to be required, but the Law Commission felt that it is not specific to computing.

Such an offence already exists for Government information (under the Official Secrets Act 1989).

Page 25: Computer misuse

IFCC

• The Internet Fraud Complaint Center (IFCC) was set up in 2000. The IFCC’s primary mission is to address fraud committed over the Internet. This is done by facilitating the flow of information between law enforcement agencies and the victims of fraud, information that might otherwise go unreported.

• The IFCC Internet Fraud Report is the first annual compilation of information on complaints received and referred by the IFCC to law enforcement or regulatory agencies for appropriate action.

• The results provide an examination of key characteristics of 1) complaints, 2) perpetrators, 3) complainants, and 4) the interaction between perpetrators and complainants.

The European Cybercrime Convention also covers computer intrusion, forgery, copyright and pornography, but extends current law to:

• define offences related to ‘aiding and abetting’ other offences covered in the treaty;

• formalise the procedure for the search and seizure of computers;

• incorporate many of the features of the Regulation of Investigatory Powers (RIP) Act 2000 in relation to forcing the disclosure of decryption keys;

• incorporate UK proposals for the monitoring of networks under proposals for the acquisition and storage of traffic data.

Page 26: Computer misuse

Nigerian Letter Scams

• One complaint that the IFCC continues to receive in high volume, and which thus merits special consideration, is the well-known Nigerian Letter Scam.

• The Nigerian Letter Scam is defined as a correspondence outlining an opportunity to receive non-existent government funds from alleged dignitaries that is designed to collect advance fees from the victims.

• This sometimes requires payoff money to bribe government officials. While other countries may be mentioned, the correspondence typically names “The Government of Nigeria” as the nation of origin.

• This scam has run since the early 1980’s and is also referred to as “419 Fraud” after the relevant section of the Criminal Code of Nigeria, as well as “Advance Fee Fraud”.

• Please visit http://www.419eater.com/ for some fun…

Page 27: Computer misuse

E-Commerce

• A sophisticated understanding of computers and the Internet is no longer required to successfully crack a company’s computer.

• ID numbers, passwords, credit card numbers, and fraud instruction guides are all available in Internet chat rooms. At the same time, hackers are getting more sophisticated and are finding better and faster hardware and software resources at their disposal.

• Many electronic commerce sites do not adequately protect customer databases and are vulnerable to hackers seeking customer information.

• CyberSource, a developer of software systems that detect fraud, estimates that as much as 5 to 6 percent of the average Internet retailer's transactions involve consumer fraud. Others have estimated that credit card fraud on the Internet is as high as 30 percent.

Page 28: Computer misuse

Protection Mechanisms

• An Internet firewall is a security mechanism that allows limited access to your site from the Internet, allowing approved traffic in and out according to a thought-out plan. Today’s Internet security threats range from curious prowlers to well-organised, technically knowledgeable intruders.

• Without the ability to protect your entire network at its connection point, a network is only as strong as its weakest link, and securing each and every system is a complex and cumbersome job with no guarantee of success, because of the variety of different operating systems, releases, vendor patches, and administrative domains.

• It is vital that all employees’ passwords are changed regularly. This helps prevent part-timers or contract staff from using their knowledge of the computer to their own advantage.

• Keeping a record of all activity on the computer is important, as it shows which users have used which files and who was logged into the computer system.

• Today’s Internet-based payment mechanisms based on SSL are roughly as secure as existing mail order/telephone order credit card transactions.
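The activity record described above is only useful if someone reviews it. The following is an added example, not part of the original notes: it parses a constructed audit log in an assumed format, produces the "who used which file" record, and flags bursts of failed log-ons from one user and source, the repeated-attempt pattern that Section 1 of the Act covers even when no attempt succeeds. All names, hosts and file paths are invented.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not from the notes). Assumed line format:
# "<ISO timestamp> <EVENT> user=<name> src=<host> [file=<path>]"
SAMPLE_LOG = """\
2024-03-04T08:59:12 LOGIN_OK user=alice src=10.0.0.5
2024-03-04T09:02:40 FILE_READ user=alice src=10.0.0.5 file=/finance/ledger.xls
2024-03-04T09:10:01 LOGIN_FAIL user=bob src=10.0.0.77
2024-03-04T09:10:03 LOGIN_FAIL user=bob src=10.0.0.77
2024-03-04T09:10:05 LOGIN_FAIL user=bob src=10.0.0.77
2024-03-04T09:10:07 LOGIN_FAIL user=bob src=10.0.0.77
2024-03-04T09:10:09 LOGIN_FAIL user=bob src=10.0.0.77
2024-03-04T09:10:11 LOGIN_OK user=bob src=10.0.0.77
2024-03-04T09:11:30 FILE_WRITE user=bob src=10.0.0.77 file=/exams/results.csv
2024-03-04T09:30:00 LOGIN_FAIL user=carol src=10.0.0.9
2024-03-04T18:45:00 LOGIN_OK user=carol src=10.0.0.9
this line is garbage and must be skipped, not crash the review
"""

def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    rec = {"ts": ts, "event": parts[1]}
    for field in parts[2:]:
        key, sep, value = field.partition("=")
        if sep:
            rec[key] = value
    return rec if "user" in rec and "src" in rec else None

def parse_log(text):
    """Parse every well-formed line; malformed lines are dropped, not fatal."""
    return [r for r in map(parse_line, text.splitlines()) if r is not None]

def file_access_by_user(records):
    """The 'who used which file' record: user -> sorted list of files touched."""
    access = defaultdict(set)
    for r in records:
        if r["event"].startswith("FILE_") and "file" in r:
            access[r["user"]].add(r["file"])
    return {user: sorted(files) for user, files in access.items()}

def failed_login_bursts(records, threshold=5, window_seconds=60):
    """Return (user, src, burst_start, succeeded) for each (user, src) pair with
    at least `threshold` LOGIN_FAIL events inside `window_seconds`. `succeeded`
    is True when a LOGIN_OK from the same pair came after the burst: a guessing
    run that got in, which is the case needing the fastest response."""
    fails, oks = defaultdict(list), defaultdict(list)
    for r in records:
        if r["event"] == "LOGIN_FAIL":
            fails[(r["user"], r["src"])].append(r["ts"])
        elif r["event"] == "LOGIN_OK":
            oks[(r["user"], r["src"])].append(r["ts"])
    bursts = []
    for key, times in fails.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            last = times[i + threshold - 1]
            if (last - times[i]).total_seconds() <= window_seconds:
                succeeded = any(t > last for t in oks[key])
                bursts.append((key[0], key[1], times[i].isoformat(), succeeded))
                break  # one report per (user, src) pair is enough
    return bursts

def review(text):
    """Run both checks over a raw log and return a report dict."""
    records = parse_log(text)
    return {"events": len(records),
            "file_access": file_access_by_user(records),
            "bursts": failed_login_bursts(records)}
```

On the sample log, `review(SAMPLE_LOG)["bursts"]` reports bob's five failures followed by a successful log-on, while carol's single failure falls below the threshold.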

Page 29: Computer misuse

Secure E-Commerce - SET

• SET, the Secure Electronic standard, was published as an open specification applicable to any payment service. It addresses several security needs specific to electronic commerce:

• Privacy of payment and confidentiality of order information transmissions;
• Authentication of a cardholder for a branded bankcard account using a digital signature and cardholder certificate;
• Authentication of the merchant to accept credit card payments using a digital signature and merchant certificate;
• Payment information integrity is ensured by the use of digital signatures;
• Special purpose certificates.

• The significance of SET over other Internet security protocols is the use of digital certificates that associate the cardholder and the merchant with a financial institution and the Visa and MasterCard payment system.

• The use of this digital certificate will prevent a level of fraud that the existing systems do not have and gives the cardholders and merchant confidence that the transaction will be handled in the same manner as credit card transactions today.

• While such technologies are clearly necessary, they do not represent a complete resolution of the trust issue.

• The difference is that lacks a basis for trust in electronic systems from the outset and, therefore, requires proof of its security before being willing to use it.

Page 30: Computer misuse

Conclusion

• Computer fraud is any activity which results in the deliberate sabotage or stealing of information or data present on a computer.

• A company using IT systems should determine the impact of a security violation on the organisation's assets and also determine the level of trust that can be placed in the users of the organisation's IT systems.

• Once a company has taken measures against computer fraud, it should not become complacent about its security systems.

• Currently approximately 36% of all fraud is computer fraud.
